Sandboxing Security: A Practical Guide

What is Sandboxing Security?

Sandboxing security techniques and tools enable you to move suspicious software and files into an isolated environment—a sandbox—where the threat is tested. A sandbox is designed to mimic production environments, but it is deployed safely away from your real assets.

A major advantage of sandbox environments is the ability to isolate threats. Once the threat is isolated, you can test and analyze it, usually by “detonating” the suspicious file and causing it to deploy its malicious payload. The information gathered from the analysis can help you protect your systems from similar threats—essentially turning a zero-day threat into a known factor.

There is a wide range of sandboxing security solutions. Typically, a solution provides capabilities for analysis, pre-filtering, visualization, emulation, anti-evasion, and threat intelligence.

How Does Sandbox Cyber Security Work?

Sandbox security testing proactively detects malware by running suspicious code in a safe and isolated environment, and monitoring the behavior and outputs of the code. This is known as “detonation”.

The major advantage of sandbox-based security testing is that it can reliably detect unknown threats. Other methods of testing, both traditional signature-based methods, and modern behavioral analysis based on machine learning (known as featureless detection), are limited in their ability to detect unknown threats.

These traditional methods are only as good as the threat databases and models that support them. The sandbox technique provides an additional layer of defense, making it possible to test payloads that passed other detection techniques, but may still contain threats.

There are three primary ways to implement a sandbox for security testing:

  • Complete system emulation—the sandbox simulates the host’s physical hardware such as CPU and memory to gain a comprehensive understanding of program behavior and impact.
  • Operating system emulation—the sandbox emulates the end user’s operating system, but does not accurately simulate system hardware.
  • Virtualization / containerization—this method uses a virtual machine (VM) or container to run software in an isolated environment.

Because a VM or container is not an identical environment to a full operating system, there is lower confidence that malware will behave in the same way as it does on a real endpoint. However, VMs and containers are easier to deploy and require less system resources to run compared to full OS or complete system emulation.

Related content: read our guide to application sandboxing.

Using Sandboxes to Detonate Malicious Payloads

Malware typically distributes payloads (macros, scripts, hyperlinks, files) when copied or downloaded to a device, or when a file is opened. Sandbox systems with detonation features can automatically analyze files and identify suspicious activity.

Some popular sandbox solutions do not provide detonation capabilities out of the box—but it is still possible to “play around” with malicious software to investigate its behavior. Other solutions have built-in, automated security testing features.

Typical Workflow for Sandboxing Detonation

If the malware doesn’t immediately activate its payload, the sandbox system can attempt to trick the malware into deploying, by changing certain virtual machine settings (such as date and time settings), or restarting the VM. Sandbox engines can also simulate different system properties that may trigger malicious behavior.

typical workflow for detonation is as follows:

  1. The sandboxing system detects content that is suspicious and needs to be tested.
  2. Content is moved to the sandbox environment.
  3. The end user is notified that the content is being tested.
  4. If the content is safe, the user can retry the download or attempt visiting the website again. If not, the content is blocked and administrators are notified.

Payload Detonation Best Practices

Here are a few best practices that can identify malicious payloads more effectively.

  • Use variable durations—sandboxes typically analyze malware for a few seconds, but this does not capture many malicious behaviors. Some of the most damaging types of malware lie dormant for some time and are only then activated. Long-term analysis greatly increases the chances of detecting this type of malware, but because this has a high resources cost, a best practice is to randomize the sandbox’s sleep settings, increasing the chance of capturing malicious activity.
  • Use realistic software and hardware settings—some malware checks the size of your hard drive, latest files created, CPU capabilities, operating system version, amount of memory, and other system characteristics. Use realistic settings in your sandbox or virtual machines to elicit malware to perform its intended behavior.
  • Real time monitoring—prefer a sandbox tool that monitors how malware interacts with the virtualized system, including calls to system APIs by malicious programs, and recording stack traces.
  • Dynamic sandboxes—prefer a sandboxing method that lets the sandbox interact with the malware and simulates processes to find additional paths of execution. This can also help you counter sandbox evasion techniques used by sophisticated malware.

How to Choose Sandbox Security Software

Here are some of the key capabilities you should look for in a sandbox security solution:

    • Analyzing a variety of suspicious objects—a sandbox should be able to analyze executables, DLLs, PDFs, Microsoft Office documents, Java and Flash programs, and any other artifact that may be used in your environment.
  • Analyzing web content—modern sandboxes can detect browser vulnerabilities and malicious websites by analyzing JavaScript and HTML elements on web pages. Related content: read our guide to web filtering.
  • Pre-filtering—sandboxes should attempt to minimize the number of objects sent to the sandbox for analysis, reduce analysis time and false positives. These techniques include static code analysis, antivirus scans, threat intelligence feeds, and other methods of identifying malware without sandbox analysis. Only if an object cannot be identified as suspicious, it is sent to the sandbox.
  • Combination of virtualization and emulation—for sandboxes running in production, it is not feasible to emulate the full stack. Virtualization-based methods can be combined with emulation methods to analyze suspicious objects. The emulation method uses a layer of software that mimics an application, operating system, or hardware platform.
  • Fine-grained emulation—the sandbox solution should provide the ability to emulate hardware, system properties, and software, including specific minor versions of the operating system or software that is targeted by the malware.
  • Anti-evasion—sophisticated malware can try to detect sandbox environments. Most commonly, malware will try to detect the presence of a hypervisor, which can indicate the code is running in a sandbox. Some sandboxes may use custom hypervisors to avoid detection, but this limits the ability to accurately simulate the end-user environment.
  • Threat intelligence—a security sandboxing solution should combine testing with threat intelligence data, to understand the identity and motivation of the attackers. This can help incident responders determine whether the malware is part of a targeted attack or advanced persistent threat (APT), or an automated or mass distributed attack.

Sandboxing Security with Hysolate

Looking for a managed sandbox solution to isolate risky or sensitive activities on a user’s endpoint device? Hysolate can be used as a sandbox, where developers or researchers can download open source-code repositories, access training videos over YouTube, as well as for productivity and communication tools like Zoom and Slack. Users can have full access to all the websites and applications they need to do their jobs, but these activities are contained within a corporate-managed Windows10 sandbox.

Hysolate is more than just a sandbox, it’s a full OS isolation solution for Windows10, splitting your endpoint into a more secure corporate zone and a less secure zone for daily tasks. This means that one OS can be reserved for corporate access, with strict networking and security policies, and the other can be a more open zone for accessing untrusted websites and applications.

Hysolate has several advantages over traditional sandbox solutions. It sits on the user endpoint so provides a better UX, but is managed by a granular management console via the cloud. This means that admins can monitor and control exactly what their team is using the sandbox environment for, and can easily be wiped if threats are detected. Hysolate is easy to deploy, and can be scaled to your entire team, not just the technical members. Hysolate sandboxes applications, websites, documents and peripherals, gives you better security, and manageability, including the ability to choose to keep apps persistent within the sandbox.

Try Hysolate Free, a Windows10 sandbox on steroids here.